1 / 14

Common Change Management Challenges for Companies Running Oracle Applications

Common Change Management Challenges for Companies Running Oracle Applications. Presented by: Jeffrey T. Hare, CPA CISA CIA ERP Seminars. Presentation Agenda. Overview: Introductions IIA Standards Common Change Management Challenges Q&A Public Domain Collaboration

chavi
Download Presentation

Common Change Management Challenges for Companies Running Oracle Applications

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Common Change Management Challenges for Companies Running Oracle Applications Presented by: Jeffrey T. Hare, CPA CISA CIA ERP Seminars

  2. Presentation Agenda • Overview: • Introductions • IIA Standards • Common Change Management Challenges • Q&A • Public Domain Collaboration • Oracle Apps Internal Controls Repository • OUBPB / ERP Seminars Initiatives • Other Resources • Contact Information © 2008 ERPS

  3. Introductions • Jeffrey T. Hare, CPA CISA CIA • Founder of ERP Seminars and Oracle User Best Practices Board • Written various white papers on SOX Best Practices in an Oracle Applications environment • Frequent contributor to OAUG’s Insight magazine • Experience includes Big 4 audit, 6 years in CFO/Controller roles – both auditor and audited perspectives • In Oracle applications space since 1998– both client and consultant perspectives • Founder of Internal Controls Repository - public domain internal controls repository for end users © 2008 ERPS

  4. Introductions • Jeffrey T. Hare, CPA CISA CIA • Founder of ERP Seminars and Oracle User Best Practices Board • Written various white papers on SOX Best Practices in an Oracle Applications environment • Frequent contributor to OAUG’s Insight magazine • Experience includes Big 4 audit, 6 years in CFO/Controller roles – both auditor and audited perspectives • In Oracle applications space since 1998– both client and consultant perspectives • Founder of Internal Controls Repository - public domain internal controls repository for end users © 2008 ERPS

  5. IIA Standards IIA’s Global Technology Audit Guide #2 - Change and Patch Management Controls: Critical for Organizational Success can be found at: http://www.theiia.org/guidance/technology/gtag/gtag2/ © 2008 ERPS

  6. Common Change Management Challenges Failure to take into account request groups access in design of security – request groups should be defined from the ground up for each responsibility as they allow for concurrent program access and access to sensitive data, some in standard request groups Forms-based setups not being considered – some forms based setup changes have the impact of code change; change management is done to protect the integrity of the process Change made in various forms that allow SQL statements embedded in them are not required to go through change management process – all activity in SQL forms should go through CM process, be audited and compared to SQL that has been peer-reviewed and was approved in the Change Management ticket (see list of forms in Internal Controls Repository and keep current with recommendations in Metalink Note 189367.1) © 2008 ERPS

  7. Common Change Management Challenges Excessive access to forms requiring change management – Example - Financials submenu in various menus and contains DFFs, KFFs, Value Set, Value Set Maint, Cross Validation Rules, Security Rules… Failure to clearly document who is responsible for implementing change – Management should determine and document who are the appropriate Change Implementers Failure to test for unauthorized changes – Anything that should go through CM process should be subject to audit. Need to develop a log or trigger based audit trail and compare to approved changes © 2008 ERPS

  8. Common Change Management Challenges Failure to remediate issues that cause for unauthorized changes – need to do root cause analysis of unauthorized changes and remediate issues Failure to maintain documentation – BR100s and BR110s should be kept current; user documentation; IT documentation; process documentation; internal controls testing; test scripts. Poor impact analysis leading to a poor testing process – usually too much turf wars and not enough cooperation; requires tight cooperation between IT and functional users © 2008 ERPS

  9. Q & A

  10. Public Domain Collaboration • What is needed are standards for collection of: • Tables to audit as data is migrated (for example banks) • Additional functions and functionality is added • Internal Controls Repository: http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/ • Publishing list of critical forms, tables, columns to audit prioritized by risk • Promoting use of our risk assessment process as the standard in the industry with agreement on language and mapped to the function level • Public domain collaboration will insure consistency and quality © 2008 ERPS

  11. Oracle Apps Internal Controls Repository • Internal Controls Repository Content: • White Papers such as Accessing the database without having a database login, Best Practices for Bank Account Entry and Assignment, Using a Risk Based Assessment for User Access Controls, Internal Controls Best Practices for Oracle’s Journal Approval Process • Oracle apps internal controls deficiencies and common solutions • Mapping of sensitive data to the table and columns • Identification of reports with access to sensitive data • http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/ © 2008 ERPS

  12. Other Resources • Oracle Users Best Practices Board: www.oubpb.com • Cam’s white paper on Auditing the DBA at: http://www.absolute-tech.com/products/whitepapers.htm • Integrigy white papers at: http://www.integrigy.com/security-resources • Solution Beacon: http://www.solutionbeacon.com/security.htm • Oracle internal controls and security public listserver: http://tech.groups.yahoo.com/group/OracleSox/ © 2008 ERPS

  13. Best Practices Caveat Best Practices Caveat The Best Practices cited in this presentation have not been validated with your external auditors nor has there been any systematic study of industry practices to determine they are ‘in fact’ Best Practices for a representative sample of companies attempting to comply with the Sarbanes-Oxley Act of 2002 or other corporate governance initiatives mentioned. The Best Practice examples given here should not substitute for accounting or legal advice for your organization and provide no indemnification from fraud or material misstatements in your financial statements or control deficiencies. © 2008 ERPS

  14. Contact Information Jeffrey T. Hare, CPA CISA CIA • Phone: 602-769-9049 • E-mail: jhare@erpseminars.com • Websites: www.erpseminars.com, www.oubpb.com • Oracle SOX eGroup at http://groups.yahoo.com/group/OracleSox • Internal Controls Repository http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/ © 2008 ERPS

More Related